What Is .htaccess – Guide to File Configuration & Uses

November 28, 2006 / General Discussion

Introduction to .htaccess

.htaccess is a small text file that controls the configuration aspects of an Apache web server. Most people are familiar with the .htaccess file in relation to the ability to restrict access to a directory via password protection. However, .htaccess can do a lot more than password protection.

The .htaccess file is an extremely powerful configuration tool that customizes how your website behaves and how your web server handles requests. You can create multiple .htaccess files for your website. Moreover, you can have one in every directory if needed.

However, .htaccess controls the directory it is placed in, as well as all the directories within that directory. Therefore, many people only use one .htaccess file — typically the one located in the root directory.

If you password-protect a directory, place a .htaccess file in that specific directory, assuming it isn’t your root directory.

.htaccess Authentication Tutorial

Sometimes, it becomes necessary to make a specific directory of your website off-limits to the general public. Perhaps you have a members-only section or an administrative area that shouldn’t be publicly accessible.

By using the .htaccess file with the .htpasswd file, you can easily restrict access. When visitors try to access that protected area, they are prompted for a username and password. Access is granted only after entering valid credentials.

To set up password protection, you’ll need to telnet into your web server. Although telnet access isn’t mandatory and there are alternatives, this tutorial focuses on the telnet method.

Example .htaccess File

AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType Basic
Require valid-user

The .htaccess file affects the directory it resides in and overrides the pre-configured server settings. Additionally, it impacts all subfolders recursively.

For example, if you password-protect a folder at http://www.website.com/restricted/ by placing this .htaccess file there, not only the restricted folder but also all subfolders within it will be password-protected.

The first line (AuthUserFile) specifies the path where the server looks for the password file. Adjust /path/to/ accordingly. Keep the file name .htpasswd. The next line (AuthGroupFile) defines access groups. Setting it to /dev/null means there are no specific groups.

The AuthName line allows you to display a message describing the login area. Finally, require valid-user ensures only authorized users gain access.

Creating the .htpasswd File

The .htpasswd file contains the usernames and passwords that can access your protected directory. Log in via telnet and navigate to the directory where your password file resides.

To create a new .htpasswd file, type:

htpasswd -c .htpasswd johndoe

You’ll be prompted to assign and confirm a password. To add more users, use the same command without the -c flag.

htpasswd .htpasswd janedoe

Passwords are not stored in plain text; htpasswd stores a hash of each one. A sample file may look like this:

johndoe:rngxrrnRhGdFo
janedoe:3lmIn9MHfWkKc
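The two sample entries above are 13-character DES crypt() hashes, a scheme that uses only the first eight characters of a password. The following Python script, added here as an illustration and not part of the original tutorial, classifies each entry of a password file by hash scheme so that weak entries can be re-created with a stronger one (Apache 2.4's htpasswd -B writes bcrypt). The alice and bob entries are constructed placeholders, not real hashes.

```python
import re

# Constructed sample: the two entries shown above plus two placeholder
# entries (alice, bob) whose hash values are made up for illustration.
SAMPLE_HTPASSWD = """\
johndoe:rngxrrnRhGdFo
janedoe:3lmIn9MHfWkKc
alice:$apr1$Zx3k9Qp1$0123456789abcdefghijk.
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

# (scheme, pattern, verdict), tried in this order.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", "ok"),
    ("apr1-md5", r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}", "legacy"),
    ("sha1", r"\{SHA\}[A-Za-z0-9+/]{27}=", "weak: unsalted"),
    ("des-crypt", r"[./A-Za-z0-9]{13}", "weak: 8-character limit"),
]

def classify(digest):
    """Return (scheme, verdict) for the hash field of one .htpasswd entry."""
    for scheme, pattern, verdict in SCHEMES:
        if re.fullmatch(pattern, digest):
            return scheme, verdict
    return "unknown", "review: possibly plain text"

def audit_htpasswd(text):
    """Map each user name in .htpasswd text to (scheme, verdict)."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, _, digest = line.partition(":")
        report[user] = classify(digest)
    return report

def needs_rehash(report):
    """Users whose entry is anything other than bcrypt."""
    return sorted(u for u, (scheme, _) in report.items() if scheme != "bcrypt")

if __name__ == "__main__":
    result = audit_htpasswd(SAMPLE_HTPASSWD)
    for user, (scheme, verdict) in result.items():
        print(f"{user:8} {scheme:10} {verdict}")
    print("re-create with a stronger hash:", needs_rehash(result))
```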
 

.htaccess Redirection Tutorial

Sometimes, you must redirect users from one page to another. For instance, if a search engine lists a page that no longer exists, you can redirect visitors instead of showing a 404 error.

Add this line to your .htaccess file:

Redirect /main.html http://www.website.com/index.html

This command redirects all requests for main.html to index.html. You can use this format to redirect multiple pages easily.

.htaccess and Customized Error Messages

Web servers usually generate plain error pages. However, creating custom error pages can greatly improve user experience and keep your website design consistent.

There are five major error types:

400 Bad Request
401 Authorization Required
403 Forbidden
404 File Not Found
500 Internal Server Error

Design HTML pages for each error message, include helpful links, and store them in an /errors directory. Then, update your .htaccess file as follows:

ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

Placing these lines in the root directory's .htaccess file ensures that the entire site uses your custom error pages.

Preventing Access to .htaccess Files

Since .htaccess files usually reside in the root directory, it’s important to prevent visitors from viewing them directly. Otherwise, they could see sensitive information like password file paths or access rules.

Add these lines to your root .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

These rules ensure visitors can’t access any .htaccess file on your site.

Enabling Script Execution

Sometimes, scripts fail to run because of configuration restrictions. If your error log shows “Options ExecCGI is off on this directory,” add the following line to your .htaccess file located in the same directory as your script:

Options +ExecCGI

This command grants permission for scripts (like .cgi or .pl files) to execute properly.

Restricting Access to a Directory (Specific IPs or Hosts)

You can restrict or allow access to specific IPs or hostnames using .htaccess. Create your file as shown below:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic
# Allow,Deny: a matching deny takes precedence over "allow from all"
order allow,deny
allow from all
deny from 0.0.0.0

Replace 0.0.0.0 with the IP address or hostname you want to block. Doing this prevents that specific source from accessing your directory.
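Which of a matching allow and a matching deny wins depends on the order line, so a rule set meant to block one address can end up admitting it. The following Python sketch, added here and not part of the original tutorial, evaluates Apache 2.2-style Order/Allow/Deny rules for a client address as the mod_access_compat documentation describes them. It handles only "all", single IPs and CIDR ranges (not hostnames), and the rule sets and addresses are constructed.

```python
import ipaddress

def parse_rules(htaccess_text):
    """Collect Order/Allow/Deny directives from .htaccess text."""
    order, allow, deny = "deny,allow", [], []  # Apache's default Order
    for raw in htaccess_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def _matches(spec, client_ip):
    """True if one 'from' value covers client_ip ('all', an IP or a CIDR range)."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(htaccess_text, client_ip):
    """Decide one request from the parsed Order/Allow/Deny rules."""
    order, allow, deny = parse_rules(htaccess_text)
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "allow,deny":
        # At least one Allow must match, and any matching Deny wins.
        return allowed and not denied
    if order == "deny,allow":
        # A matching Allow overrides a matching Deny; no match means allowed.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")

# Constructed rule sets; 203.0.113.7 is a documentation address.
BLOCK_ONE = "Order Allow,Deny\nAllow from all\nDeny from 203.0.113.7\n"
ALLOW_WINS = "Order Deny,Allow\nDeny from 203.0.113.7\nAllow from all\n"
LAN_ONLY = "Order Deny,Allow\nDeny from all\nAllow from 192.168.1.0/24\n"

if __name__ == "__main__":
    cases = [("BLOCK_ONE", BLOCK_ONE), ("ALLOW_WINS", ALLOW_WINS), ("LAN_ONLY", LAN_ONLY)]
    for name, rules in cases:
        for ip in ("203.0.113.7", "192.168.1.20"):
            print(name, ip, "allowed" if access_allowed(rules, ip) else "denied")
```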

Final Thoughts

The .htaccess file is an essential tool for improving security, flexibility, and user experience on an Apache server. When used correctly, it can safeguard sensitive areas, customize error handling, and improve overall site performance.
